Critical Mozilla, Thunderbird Vulnerabilities
d3ik writes "An advisory has been issued on several buffer overflow exploits in the Mozilla and Thunderbird code. Coincidentally, one of the exploits takes advantage of an unchecked buffer in the bitmap parser, very similar to the recent Microsoft JPEG vulnerability.
The good news is that if you have an updated version (Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8) you won't be affected."
This is the difference:
We've found a bug in Firefox, we're really sorry. Anyone using old versions of Firefox will be affected.
We've found a bug in Internet Explorer, we're really sorry. We'll fix it... eventually.
Or run them side by side to see if they act properly and as expected.
What about Galeon?
It is based on Mozilla also.
Has it been updated?
Mmm, I wonder what it takes to run Firefox in a chroot jail. Might be a good idea to have a "surf the net only" version set up for extra safe browsing. I fear the amount of libraries necessary to do that. Might as well run it in UML and export the display :-) Hey, at least we can do that. MS apps don't conform well to the Principle of Least Privilege.
Another difference: newer Mozilla, Thunderbird and Firefox versions have more features and no backward problems afaik, and are not complex to install (they are even faster/with lesser requirements than some previous versions). To fix the jpg problem you must have XP SP2 (which causes a lot of problems) or apply a critical patch ready for just a few MS platforms (nice when you even have a "jpeg of death" around that tries to steal your gmail account and other passwords by exploiting the IE jpg vulnerability).
Does the official Netscape build get the same security fixes that Mozilla gets? Or are there just 50 known ways to exploit users of the latest Netscape browser?
That's why the currently-popular programming languages are inappropriate tools for writing software that needs to be secure.
When writing software for something like a web browser, it's critical that it's simply not possible for things like buffer overflows to go unchecked. Languages like Java and C# are a step in the right direction. But there can still be bugs in the Java and C# virtual machine implementations themselves, and both C# and Java rely on massive libraries written largely in native code, and C# in particular makes it far too easy to integrate with native code. This is all ripe for exploitation.
That's why we need a new virtual machine designed from the ground up with security at the forefront. A simple key point: As small an instruction set as possible (think: just barely past a Turing machine) to reduce the codebase, and in turn reduce the chance of bugs in the virtual machine implementation. A second simple point: No code in the native libraries beyond necessity, and stringent, mandatory checks of every parameter. Third point: Likely re-implement the entire virtual machine within the virtual machine (like running an emulator inside an emulator), ensuring that all the safety measures are in place even in the virtual machine code, and the only code that runs on the "native" version of the virtual machine is the tiny virtual machine emulator, which is extremely small and carefully debugged.
No one has done this yet. Someone will, and they'll be famous.
Told me about extension incompatibilities, checked for updates, downloaded. Very slick.
All my bookmarks were back too, which is very nice (though I generally disapprove of info remaining after uninstalling a program - where was this personal data stored?)
If I uninstall and upgrade Thunderbird, will it keep my account info and emails?
OT, but related:
Given that there are critical vulnerabilities in IE due to the Cross-Domain vulnerability that most web users have ignored, and Microsoft can't seem to fix without major browser changes, and given that there are lots of exploitable vulnerabilities due to unpatched IIS servers out there, how long is it going to be before some genius low-life creates a worm that plays these two vulnerabilities off each other* and brings down the whole net for a week? It'll make little difference that 15% of the users have switched over to Firefox when this baby gets unleashed.
* I.e. Web sites infect the IE browsers and infected browsers infect other servers. (Seems like a natural to me.)
BTM
That was the turning point of my life--I went from negative zero to positive zero.
Does my lynx browser need updating?
2004-04-01 (2.8.5rel.2)
* fix for buffer in jpeg2ascii render code -BS
2004-02-04 (2.8.5rel.1)
* build fixes for MINGW32 -DK
* build fixes for OS/2 (reported by IZ) -TD
At least I'm not the only one. I upgraded yesterday and then spent close to two hours trying to get the damn search box back to the size it was with .9.x but no luck. I really wish you could just right click the search box and set the properties for it. Would be so much easier.
How is it that one careless match can start a forest fire, but it takes a whole box to start a campfire?
The JVM is a memory management punt; the programmer is offloading that task to Sun. But the JVM is written in C, and if it has a buffer overflow then you're just as screwed. What's more useful is a "no-execute" bit that prevents memory meant to hold data from executing code to begin with - the sort that's already available on x86-64 platforms.
It was like this when I got here.
Amazing how many asshats come out of the woodwork with these kinds of comments... Microsoft's IE has exploits that still exist three months after public discovery. Mozilla's developers already fixed this yesterday. BIG FSKING DIFF!
Also, in Wired a short time ago, they tried to claim that Firefox had a vulnerability that had to be patched (which it did 0.9 - 0.9.1) but the vulnerability was with the Windows OS, and blocking access to a Windows OS function was what was required to fix it.
FF is still a better browser - no question about it.
Clothes make the man. Naked people have little or no influence in society - M. Twain
The Moz team should be looking with urgency at how corporate customers can keep it up to date - I'm sure that would also make it a much easier sell to business.
;)
The only thing the Mozilla/Firefox team should do is to prevent user preferences and extensions from being reset by an upgrade. They are working on it, as I read in other threads. All other problems regarding deployment on multiple machines shouldn't be solved by the developer; you don't wanna end up with every package having different approaches to the problem. It must be a matter for sysadmins or the Linux distro developers.
Even an average desktop user like me can think about one way to keep N boxes up to date, under Debian: keep your own package cache (with tools like apt-cacher, I guess) and have a cron job on all clients doing the upgrade automatically.
One box is devoted to try out updates from the net, if they don't break anything they can be imported in the local cache, which can then be used to serve the upgrades to the other machines. The cron jobs can be offset not to overwhelm the local cache file server.
Moderators who gave parent a +5 insightful: are you nuts?
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
That is a matter of opinion. I haven't upgraded Moz on my home machine since the 1.5->1.6 switch took out my whole e-mail store, address book, and other profile information. Fortunately I'd had the sense to back up, so 1.5 was restored with the only loss several hours of my time. It does make the argument that Mozilla doesn't have to provide security patches for older versions because of the rapid upgrade cycle rather thin, though.
I've been waiting for TBird to import Moz e-mail properly, and now that it does, I'll be shifting away from the Mozilla suite to Firefox and Thunderbird imminently. The latter seem to be far more robust than Mozilla itself, which sadly has become ever more feature-loaded and bug-ridden with the passage of time.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Same thing happened to me. Weird.
There are some other extensions that are still disabled, but WebDeveloper works just hunky dory.
"City hall" in German is "Rathaus". Kinda explains a few things......
Okay, this comment suggesting that somebody should sue Microsoft for an exploit like this was modded to +4, Interesting.
So I'd like to suggest that whoever was in charge of that part of the code in Mozilla should be sued. If that's offensive, then maybe a re-evaluation of the original post is in order?
"Derp de derp."
the debian mozilla packages currently in sid/unstable appear to be not propagating into sarge/testing due to not being built cleanly for the mips and mipsel architectures. i'm not enough of a mozilla or mips hacker to understand the exact problems with the build, but the failed build logs are available for review, if anyone wants to send hints to the debian maintainer.
if you use a more popular architecture (x86, for example), you can use the mozilla packages from unstable which are currently at 1.7.2 (1.7.3, having been released by mozilla just yesterday, has not been introduced to sid/unstable yet to my knowledge).
But there's hope: here's a good link about apt-pinning, which lets you pull select packages from sid/unstable while maintaining the rest of your system as sarge.
i just made the changes described in the link above to /etc/apt/preferences and /etc/apt/sources.list yesterday, and it worked pretty smoothly. if you run into any problems, you can try uninstalling the mozilla-browser and mozilla-mailnews packages and then reinstalling them while targeting the unstable distro like this:
debian's multi-arch focus is a Good Thing, but delays the propagation of security fixes into testing. OTOH, no one ever claimed to support testing for security fixes in the first place, so you kinda get what you were promised.
you can patch without fear of breaking a gazillion programs
The downside of course being that the gazillion programs all have their own implementations of the required functionality, each with its own quirks, foibles and bugs, each taking their own chunk of disk space.
Most of what you think of as IE is just a shell for the rendering engine. In that sense, it's not a whole lot different to gecko. You can embed gecko in your apps in much the same way as you can the MSHTML component.
If and when people start doing so, you'll see people saying exactly the same thing about that, too, I'd imagine.
It's official. Most of you are morons.
Actually, the parent is correct. If you compromise Mozilla, the hack should be able to do no more than the user account that is running Mozilla. In Windows, such a hack has the potential to have admin privileges to the machine, even if the user account running the process does not (API / kernel entanglement). Given that most Windows users run with Admin privileges by default, Mozilla users on Windows are far more likely to be successfully compromised than Mozilla users on other operating systems.
We can probably hold Microsoft innocent of the arbitrary reads and writes from and to the clipboard.
The vulnerabilities exist in the first place because at the core, Closed Source and Open Source developers work the same way: a human sits down at a console and types in the code. At this stage there is no difference between Open Source and Closed Source software development. As such, similar problems are going to occur in the production phase.
And there is never any guarantee that a problem is going to be discovered. Sometimes it takes multiple revisions before a problem is found. I'm not arguing that Open Source magically makes all bugs and security issues disappear -- however, under Open Source they are vastly more likely to be found, and due to the open nature of the code, are going to allow for quicker fixes (as the person detecting the bug can in fact fix it themselves and contribute the fix back to the maintainers).
And in the case of Mozilla, this is exactly what has been happening. People find the problems. People with no connection whatsoever to Netscape/Mozilla.org have fixed the problems. And we've wound up with a much better product because of it.
I don't see anyone here claiming that OSS is 100% secure. It isn't. However, it does have benefits to getting problems detected and fixed quicker than closed source software does.
I see it firsthand all the time. I've worked in big closed-source software development projects (IBM). I've also worked in many Open Source Software development projects (and even administer a medium-sized project myself).
Open Source has tangible benefits over Closed Source software when it comes to the detection and fixing of bugs. Deal with it.
Yaz.